Use this topic to manually migrate trust associations.
Before you begin
Note: Data sources are not supported for use within a Trust
Association Interceptor (TAI). Data sources are intended for use
within J2EE applications and designed to operate within the EJB and
web containers. Trust Association Interceptors do not run within a
container, and while data sources may function in the TAI environment,
they are untested and not guaranteed to function properly.
The following topics are addressed in this document:
Changes to the product-provided trust association interceptors
For the product-provided implementation for the WebSEAL server, a new
optional com.ibm.websphere.security.webseal.ignoreProxy property is
added. If this property is set to true or yes, the implementation does
not check for the proxy host names and the proxy ports to match any of
the host names and ports that are listed in the
com.ibm.websphere.security.webseal.hostnames and the
com.ibm.websphere.security.webseal.ports properties, respectively. For
example, if the VIA header contains the following information:
HTTP/1.1 Fred (Proxy), 1.1 Sam (Apache/1.1),
HTTP/1.1 webseal1:7002, 1.1 webseal2:7001
and the com.ibm.websphere.security.webseal.ignoreProxy property is set
to true or yes, the host name Fred is not used when matching the host
names. By default, this property is not set, which means that any proxy
host names and ports that are expected in the VIA header must be listed
in the host names and the ports properties to satisfy the
isTargetInterceptor method.
The previous VIA header information was split onto two lines for
illustrative purposes only.
For more information about the
com.ibm.websphere.security.webseal.ignoreProxy property, see Configuring
single signon using trust association interceptor ++.
Migrating product-provided trust association interceptors
The properties that are located in the webseal.properties and
trustedserver.properties files are not migrated from previous versions
of WebSphere® Application Server. You must migrate the appropriate
properties to WebSphere Application Server Version 6.0.x using the
trust association panels in the administrative console. For more
information, see Configuring trust association interceptors.
Changes to the custom trust association interceptors
If the custom interceptor extends the
com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor
class, implement the following new method to initialize the interceptor:
public int init (java.util.Properties props);
WebSphere Application Server checks the return
status before using the trust association implementation. Zero (0)
is the default value for indicating that the interceptor is successfully
initialized.
However, if a previous implementation of the trust
association interceptor returns a different error status, you can
either change your implementation to match the expectations or make
one of the following changes:
- Method 1: Add the
  com.ibm.websphere.security.trustassociation.initStatus property in
  the trust association interceptor custom properties. Set the property
  to the value that indicates the interceptor is successfully
  initialized. All of the other possible values imply failure. In case
  of failure, the corresponding trust association interceptor is not
  used.
- Method 2: Add the
  com.ibm.websphere.security.trustassociation.ignoreInitStatus property
  in the trust association interceptor custom properties. Set the value
  of this property to true, which tells WebSphere Application Server to
  ignore the status of this method. If you add this property to the
  custom properties, WebSphere Application Server does not check the
  return status, which is similar to previous versions of WebSphere
  Application Server.
The public int init (java.util.Properties props) method replaces the
public int init (String propsFile) method.
The init(Properties) method accepts a java.util.Properties object, which
contains the set of properties that is required to initialize the
interceptor. All of the properties set for an interceptor are sent
to this method. The interceptor can then use these properties to initialize
itself. For example, in the product-provided implementation for the
WebSEAL server, this method reads the hosts and ports so that a request
coming in can be verified to come from trusted hosts and ports. A
return value of zero (0) implies that the interceptor initialization
is successful. Any other value implies that the initialization is
not successful and the interceptor is not used.
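The fail-closed init(Properties) contract described above, shown as an added example that is not IBM's code or part of the original topic. It is a stand-alone class (a real interceptor would extend the base class), and the property names example.tai.trustedHosts and example.tai.trustedPorts are hypothetical.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
// Stand-alone sketch; a real TAI would extend WebSphereBaseTrustAssociationInterceptor.
public class ExampleTaiInit {
    static final String HOSTS_KEY = "example.tai.trustedHosts";  // hypothetical name
    static final String PORTS_KEY = "example.tai.trustedPorts";  // hypothetical name
    private Set<String> trustedHosts = new HashSet<>();
    private Set<Integer> trustedPorts = new HashSet<>();

    // Returns 0 only when every required property is present and valid.
    public int init(Properties props) {
        String hosts = props.getProperty(HOSTS_KEY, "").trim();
        String ports = props.getProperty(PORTS_KEY, "").trim();
        if (hosts.isEmpty() || ports.isEmpty()) return 1;   // missing setting
        Set<String> h = new HashSet<>();
        Set<Integer> p = new HashSet<>();
        for (String host : hosts.split(",")) {
            if (host.trim().isEmpty()) return 2;            // empty host entry
            h.add(host.trim().toLowerCase(Locale.ROOT));
        }
        try {
            for (String port : ports.split(",")) {
                int n = Integer.parseInt(port.trim());
                if (n < 1 || n > 65535) return 3;           // port out of range
                p.add(n);
            }
        } catch (NumberFormatException e) {
            return 3;                                       // non-numeric port
        }
        trustedHosts = h;   // commit only after full validation, so a failed
        trustedPorts = p;   // init never leaves a partial trust list behind
        return 0;
    }
    // True only for a host and port accepted by a successful init().
    public boolean isTrusted(String host, int port) {
        return host != null && trustedPorts.contains(port)
            && trustedHosts.contains(host.toLowerCase(Locale.ROOT));
    }
    public static void main(String[] args) {
        ExampleTaiInit tai = new ExampleTaiInit();
        Properties cfg = new Properties();                  // constructed sample values
        cfg.setProperty(HOSTS_KEY, "webseal1,webseal2");
        cfg.setProperty(PORTS_KEY, "7002,70o1");            // typo in second port
        System.out.println(tai.init(cfg) + " " + tai.isTrusted("webseal1", 7002));
        cfg.setProperty(PORTS_KEY, "7002,7001");
        System.out.println(tai.init(cfg) + " " + tai.isTrusted("webseal1", 7002));
    }
}
```

Because the trust lists are committed only after validation succeeds, an interceptor whose init failed trusts no host or port, which matters if the server is configured to ignore the return status.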
The init(String) method still works if you want to use it instead of
implementing the init(Properties) method. The only requirement is that
you enter the file name containing the custom trust association
properties using the Custom Properties link of the interceptor in the
administrative console or by using scripts. You can enter the property
using either of the following methods. The first method is used for
backward compatibility with previous versions of WebSphere Application
Server.
- Method 1: The same property names used in the previous release are
  used to obtain the file name. The file name is obtained by
  concatenating .config to the
  com.ibm.websphere.security.trustassociation.types property value. If
  the myTAI.properties file is located in the
  app_server_root/properties directory, set the following properties:
  - com.ibm.websphere.security.trustassociation.types = myTAItype
  - com.ibm.websphere.security.trustassociation.myTAItype.config = app_server_root/properties/myTAI.properties
- Method 1: The same property names used in the previous release are
  used to obtain the file name. The file name is obtained by
  concatenating .config to the
  com.ibm.websphere.security.trustassociation.types property value. If
  the myTAI.properties file is located in the profile_root/properties
  directory, set the following properties:
  - com.ibm.websphere.security.trustassociation.types = myTAItype
  - com.ibm.websphere.security.trustassociation.myTAItype.config = profile_root/properties/myTAI.properties
- Method 2: You can set the
  com.ibm.websphere.security.trustassociation.initPropsFile property in
  the trust association custom properties to the location of the file.
  For example, set the following property:
  com.ibm.websphere.security.trustassociation.initPropsFile=
  app_server_root/properties/myTAI.properties
  The previous line of code is split into two lines for illustrative
  purposes only. Type as one continuous line.
- Method 2: You can set the
  com.ibm.websphere.security.trustassociation.initPropsFile property in
  the trust association custom properties to the location of the file.
  For example, set the following property:
  com.ibm.websphere.security.trustassociation.initPropsFile=
  profile_root/properties/myTAI.properties
  The previous line of code is split into two lines for illustrative
  purposes only. Type as one continuous line.
In a WebSphere Application Server, Network Deployment installation,
where the location of the file name can vary for different nodes,
use the variable install_root to refer to the WebSphere Application Server installation directory.
However, it is highly recommended that your implementation be changed
to implement the init(Properties) method instead of relying on the
init (String propsfile) method.
Migrating custom trust association interceptors
The trust associations from previous
versions of WebSphere Application Server are
not automatically migrated to WebSphere Application Server Version 8.0. You can manually
migrate these trust associations using the following steps: